mike wrote:
Yes you can do it with only javascript but you'll need server components to deal with large files ... Which the OP does not have access to. Post and file limits could become an issue.

Not to mention flash and java penetration is huge. I think flash is on something like 96% of browsers now...

And more and more people are using something like noscript to block it because XSS hacks are out of control. It is too easy to publish a website and too many web developers only care about their own data, they don't care about protecting users from malicious content.

That's why more and more users who have flash installed are not letting web sites execute it (or anything).

If you are youtube, it is reasonable to require the user have flash installed. Otherwise there's a good chance they won't.

I don't let a site execute flash in my browser unless I'm sure I need it to get what I want. Sites that code in flash that don't need to, I'm not going to open up myself to possible XSS exploits just because they chose to make their site only work when I open up my browser to vulnerabilities.

Many corporate environments are now also mandating that flash and javascript be disabled as well because of the XSS dangers.

Use Javascript to make life easier on those who have it enabled but if things don't work peachy without it, you are doing it wrong.

Use flash for what really genuinely requires flash, and file upload isn't one of them.

Once http://people.mozilla.org/~bsterne/content-security-policy/ is properly implemented - I intend to only allow sites that set a reasonable security policy to execute anything in my browser, and I suspect other users will do the same. Then maybe if you have properly coded your site to send a content-security-policy header with reasonable policies I might let you use flash to upload files, assuming your policy specifies the source for the flash must be on your domain, but right now there just isn't enough client side security available to properly protect the users who allow execution, so educated users are very leery of allowing anything to run in their browser.

If I attached "somefile.exe" and told you to run it, would you?

Web masters who require the user to allow execution are doing just that, and users who allow such execution of code they know nothing about are, to be blunt, fools and easy targets.

// steps off soap box - permanently for awhile, I'm getting too preachy

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
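Added example, not code from the thread: a client-side check of the kind the post describes, deciding whether a site's Content-Security-Policy header confines plugin (Flash) content to the site's own origin. It assumes the directive names of the later standardised CSP syntax (object-src with default-src fallback); the header values it is run against are constructed.

```python
"""Decide whether a Content-Security-Policy header keeps plugin (Flash) content
on the serving site's own origin. Added example; directive names follow the
W3C CSP syntax (assumption: the proposal the post links predates it)."""
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Split 'directive src src; directive ...' into {directive: [sources]}.
    Per CSP, a repeated directive name is ignored; the first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            name, *sources = tokens
            policy.setdefault(name.lower(), sources)
    return policy


def source_is_own_origin(source: str, page_origin: str) -> bool:
    """True for 'self', 'none', or a host-source naming the page's own origin.
    Wildcards and foreign hosts fail; a scheme or port, if given, must match."""
    keyword = source.lower()
    if keyword in ("'self'", "'none'"):
        return True
    if "*" in source:
        return False
    src = urlsplit(source if "://" in source else "//" + source)
    page = urlsplit(page_origin)
    if src.hostname is None or src.hostname != page.hostname:
        return False
    if src.scheme and src.scheme != page.scheme:
        return False
    return src.port is None or src.port == page.port


def plugins_confined_to_origin(header: str, page_origin: str) -> bool:
    """Plugin content is governed by object-src, falling back to default-src.
    If neither is set the policy allows any source, so the check fails."""
    policy = parse_csp(header)
    sources = policy.get("object-src", policy.get("default-src"))
    if not sources:
        return False
    return all(source_is_own_origin(s, page_origin) for s in sources)


if __name__ == "__main__":
    # Constructed sample headers, as a site might send them.
    for hdr in ("default-src 'self'; object-src 'self'",
                "default-src 'self'; object-src *",
                "script-src 'self'"):
        print(f"{hdr!r:50} -> {plugins_confined_to_origin(hdr, 'https://example.com')}")
```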
